* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.
parent cdb2ae4578
commit 3f0021e9f3
Binary file not shown.
@ -3495,7 +3495,7 @@ index 7590165..d81185e 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8d..9502a72 100644
index 33e0f8d..b94f32f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -3518,16 +3518,7 @@ index 33e0f8d..9502a72 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)

/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -59,6 +61,8 @@ ifdef(`distro_redhat',`
/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)

+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)

/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
@@ -67,18 +71,33 @@ ifdef(`distro_redhat',`
@@ -67,18 +69,33 @@ ifdef(`distro_redhat',`
/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)

/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
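Review bot: Dropping the `+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0)` entry from corecommands.fc leaves the events.d scripts with no labelling rule in this file, so the replacement ctdb_exec_t entry that the changelog promises ("Label /etc/ctdb/events.d/* as ctdb_exec_t") has to land in the ctdb module in the same build; that part of the change is not visible in this diff, so please confirm it is present, otherwise the scripts fall back to the generic /etc label and ctdbd_t loses the ability to execute them. The inner hunk headers that follow shift their new-side offsets by two (for example `@@ -67,18 +71,33 @@` becomes `@@ -67,18 +69,33 @@`), which is consistent with the two lines removed here.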
@ -3561,7 +3552,7 @@ index 33e0f8d..9502a72 100644

/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)

@@ -101,8 +120,6 @@ ifdef(`distro_redhat',`
@@ -101,8 +118,6 @@ ifdef(`distro_redhat',`

/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)

@ -3570,7 +3561,7 @@ index 33e0f8d..9502a72 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
@@ -116,6 +133,9 @@ ifdef(`distro_redhat',`
@@ -116,6 +131,9 @@ ifdef(`distro_redhat',`

/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)

@ -3580,7 +3571,7 @@ index 33e0f8d..9502a72 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
@@ -135,10 +155,12 @@ ifdef(`distro_debian',`
@@ -135,10 +153,12 @@ ifdef(`distro_debian',`
/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -3594,7 +3585,7 @@ index 33e0f8d..9502a72 100644

ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',`
@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')

@ -3608,7 +3599,7 @@ index 33e0f8d..9502a72 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',`
@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)

/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -3616,7 +3607,7 @@ index 33e0f8d..9502a72 100644

/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)

@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',`
@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')

@ -3676,7 +3667,7 @@ index 33e0f8d..9502a72 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',`
@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -3716,7 +3707,7 @@ index 33e0f8d..9502a72 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',`
@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -3762,7 +3753,7 @@ index 33e0f8d..9502a72 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',`
@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@ -3777,7 +3768,7 @@ index 33e0f8d..9502a72 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',`
@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@ -3802,7 +3793,7 @@ index 33e0f8d..9502a72 100644

ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -325,20 +403,27 @@ ifdef(`distro_redhat', `
@@ -325,20 +401,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)

@ -3831,7 +3822,7 @@ index 33e0f8d..9502a72 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -346,6 +431,7 @@ ifdef(`distro_redhat', `
@@ -346,6 +429,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@ -3839,7 +3830,7 @@ index 33e0f8d..9502a72 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,17 +473,34 @@ ifdef(`distro_suse', `
@@ -387,17 +471,34 @@ ifdef(`distro_suse', `
#
# /var
#
@ -18124,7 +18115,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..65a3b6d 100644
index e100d88..c652350 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -18135,7 +18126,7 @@ index e100d88..65a3b6d 100644
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## Domain to not audit.
+## </summary>
+## </param>
+#
@ -18755,7 +18746,7 @@ index e100d88..65a3b6d 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',`
@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',`
')

typeattribute $1 kern_unconfined;
@ -19309,6 +19300,25 @@ index e100d88..65a3b6d 100644
+
+########################################
+## <summary>
+## Dontaudit write usermodehelper state
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_dontaudit_write_usermodehelper_state',`
+ gen_require(`
+ type usermodehelper_t;
+ ')
+
+ dontaudit $1 usermodehelper_t:file write;
+')
+
+########################################
+## <summary>
+## Relabel to usermodehelper context .
+## </summary>
+## <param name="domain">
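Review bot: The `+## <rolecap/>` tag on the new `kernel_dontaudit_write_usermodehelper_state` interface looks wrong: that tag marks interfaces that extend what a role can do, and a dontaudit rule grants nothing, so the tag should be dropped. The summary `Dontaudit write usermodehelper state` would also read better as a sentence that names the object, for example `Do not audit attempts to write usermodehelper state files`, in line with the `Domain to not audit.` parameter text (the earlier hunk in this same file fixes exactly that wording, replacing `Domain allowed access.` with `Domain to not audit.`, so the convention is already being applied). The `+3284,630` to `+3284,649` change in the `@@ -2972,5 ...` header accounts for the 19 lines added here.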
@ -28312,7 +28322,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..23560f0 100644
index 8b40377..436b1e0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -28906,7 +28916,7 @@ index 8b40377..23560f0 100644

storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -28918,6 +28928,7 @@ index 8b40377..23560f0 100644
+term_use_all_terms(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
+term_getattr_virtio_console(xdm_t)

auth_domtrans_pam_console(xdm_t)
-auth_manage_pam_pid(xdm_t)
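Review bot: `+term_getattr_virtio_console(xdm_t)` is the only policy change behind the changelog entry `Allow to log out to gdm after screen was resized in session via vdagent`, and nothing in xserver.te records why a display manager needs to stat the virtio console; add a comment above the line naming rhbz#1249020 and the vdagent/SPICE guest case so that the next audit of xdm_t's device access does not take it for a leftover. A getattr-only grant is the right scope for a stat; please do not widen it to a read/write interface unless the bug shows such a denial.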
@ -28955,7 +28966,7 @@ index 8b40377..23560f0 100644

userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t)
@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -29125,7 +29136,7 @@ index 8b40377..23560f0 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',`
@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')

@ -29157,7 +29168,7 @@ index 8b40377..23560f0 100644
')

optional_policy(`
@@ -518,8 +893,36 @@ optional_policy(`
@@ -518,8 +894,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)

@ -29195,7 +29206,7 @@ index 8b40377..23560f0 100644
')
')

@@ -530,6 +933,20 @@ optional_policy(`
@@ -530,6 +934,20 @@ optional_policy(`
')

optional_policy(`
@ -29216,7 +29227,7 @@ index 8b40377..23560f0 100644
hostname_exec(xdm_t)
')

@@ -547,28 +964,78 @@ optional_policy(`
@@ -547,28 +965,78 @@ optional_policy(`
')

optional_policy(`
@ -29304,7 +29315,7 @@ index 8b40377..23560f0 100644
')

optional_policy(`
@@ -580,6 +1047,14 @@ optional_policy(`
@@ -580,6 +1048,14 @@ optional_policy(`
')

optional_policy(`
@ -29319,7 +29330,7 @@ index 8b40377..23560f0 100644
xfs_stream_connect(xdm_t)
')

@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;

allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -29328,7 +29339,7 @@ index 8b40377..23560f0 100644

# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send;
@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack

@ -29341,7 +29352,7 @@ index 8b40377..23560f0 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -29357,7 +29368,7 @@ index 8b40377..23560f0 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })

filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)

@ -29368,7 +29379,7 @@ index 8b40377..23560f0 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)

@ -29405,7 +29416,7 @@ index 8b40377..23560f0 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t)
@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -29437,7 +29448,7 @@ index 8b40377..23560f0 100644

# brought on by rhgb
files_search_mnt(xserver_t)
@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t)
@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)

@ -29452,7 +29463,7 @@ index 8b40377..23560f0 100644
mls_xwin_read_to_clearance(xserver_t)

selinux_validate_context(xserver_t)
@@ -718,20 +1227,18 @@ init_getpgid(xserver_t)
@@ -718,20 +1228,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)

@ -29476,7 +29487,7 @@ index 8b40377..23560f0 100644

userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t)
@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)

@ -29485,7 +29496,7 @@ index 8b40377..23560f0 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
@@ -785,17 +1290,54 @@ optional_policy(`
@@ -785,17 +1291,54 @@ optional_policy(`
')

optional_policy(`
@ -29542,7 +29553,7 @@ index 8b40377..23560f0 100644
')

optional_policy(`
@@ -803,6 +1345,10 @@ optional_policy(`
@@ -803,6 +1346,10 @@ optional_policy(`
')

optional_policy(`
@ -29553,7 +29564,7 @@ index 8b40377..23560f0 100644
xfs_stream_connect(xserver_t)
')

@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;

# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@ -29578,7 +29589,7 @@ index 8b40377..23560f0 100644
can_exec(xserver_t, xkb_var_lib_t)

# VNC v4 module in X server
@@ -842,26 +1387,21 @@ init_use_fds(xserver_t)
@@ -842,26 +1388,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -29613,7 +29624,7 @@ index 8b40377..23560f0 100644
')

optional_policy(`
@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -29622,7 +29633,7 @@ index 8b40377..23560f0 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };

@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write };
@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };

@ -29654,7 +29665,7 @@ index 8b40377..23560f0 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',`
@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')

@ -35595,7 +35606,7 @@ index 0d4c8d3..537aa42 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..324b3af 100644
index 312cd04..102b975 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -35702,7 +35713,7 @@ index 312cd04..324b3af 100644

dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t)
@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)

@ -35711,6 +35722,7 @@ index 312cd04..324b3af 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)

+auth_use_pam(ipsec_t)
auth_use_nsswitch(ipsec_t)
+auth_read_home_content(ipsec_t)

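Review bot: `+auth_use_pam(ipsec_t)` hands the IKE daemon the whole PAM bundle (the chkpwd/updpwd domain transitions, lastlog/faillog and login-record writes, PAM pid and config access), which is a good deal more than `Allow ipsec to use pam. rhbz#1317988` describes. If the daemon only needs to run a PAM conversation for peer authentication, say so in a comment above the rule and consider gating the grant behind a boolean, the way the racoon section further down already gates shadow access with `racoon_read_shadow`. Also check whether this tree's auth_use_pam already pulls in auth_use_nsswitch; if it does, the `auth_use_nsswitch(ipsec_t)` line directly below becomes redundant.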
@ -35736,7 +35748,7 @@ index 312cd04..324b3af 100644

optional_policy(`
seutil_sigchld_newrole(ipsec_t)
@@ -182,19 +212,30 @@ optional_policy(`
@@ -182,19 +213,30 @@ optional_policy(`
udev_read_db(ipsec_t)
')

@ -35771,7 +35783,7 @@ index 312cd04..324b3af 100644

allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)

allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@ -35787,7 +35799,7 @@ index 312cd04..324b3af 100644

# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)

@ -35804,7 +35816,7 @@ index 312cd04..324b3af 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)

@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)

@ -35813,7 +35825,7 @@ index 312cd04..324b3af 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)

@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@ -35821,7 +35833,7 @@ index 312cd04..324b3af 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)

term_use_console(ipsec_mgmt_t)
@ -35833,7 +35845,7 @@ index 312cd04..324b3af 100644

init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t)
@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)

@ -35867,7 +35879,7 @@ index 312cd04..324b3af 100644

optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +390,10 @@ optional_policy(`
@@ -322,6 +391,10 @@ optional_policy(`
')

optional_policy(`
@ -35878,7 +35890,7 @@ index 312cd04..324b3af 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')

@@ -335,7 +407,7 @@ optional_policy(`
@@ -335,7 +408,7 @@ optional_policy(`
#

allow racoon_t self:capability { net_admin net_bind_service };
@ -35887,7 +35899,7 @@ index 312cd04..324b3af 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)

@ -35907,7 +35919,7 @@ index 312cd04..324b3af 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)

@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)

@ -35920,7 +35932,7 @@ index 312cd04..324b3af 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t)
@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t)

locallogin_use_fds(setkey_t)

@ -42470,7 +42482,7 @@ index efa9c27..536a514 100644
+ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
+')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..d5e6fb9 100644
index 1447687..0b1da4d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -12,6 +12,7 @@ gen_require(`
@ -42481,7 +42493,15 @@ index 1447687..d5e6fb9 100644

type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t)
@@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })

+kernel_read_system_state(setrans_t)
kernel_read_kernel_sysctls(setrans_t)
kernel_read_proc_symlinks(setrans_t)

@@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t)

logging_send_syslog_msg(setrans_t)

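Review bot: `+kernel_read_system_state(setrans_t)` is broader than the changelog's `Allow setrans daemon to read /proc/meminfo`: it grants read on every proc_t file, including the /proc/<pid> entries of other processes, not just meminfo. For the MLS translation daemon that is a tolerable grant, but put a comment above the rule saying the trigger was /proc/meminfo so a later cleanup does not trim it blindly, and if this tree has a narrower kernel_read_* interface covering meminfo, prefer it. The new `@@ -49,6 +50,7 @@` hunk is placed ahead of `@@ -78,7 +80,6 @@`, whose new-side offset moves from 79 to 80, consistent with the single line added.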
@ -45266,10 +45286,10 @@ index 0000000..21f7c14
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..f4783a5
index 0000000..605f160
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,904 @@
@@ -0,0 +1,909 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45832,6 +45852,8 @@ index 0000000..f4783a5
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_notify_t self:unix_dgram_socket create_socket_perms;
+
+dev_write_kmsg(systemd_notify_t)
+
+domain_use_interactive_fds(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
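Review bot: `+dev_write_kmsg(systemd_notify_t)` is unconditional, while the changelog says the access is only needed when the `systemd.log_target=kmsg` kernel option is set; write access to /dev/kmsg lets the domain put arbitrary lines into the kernel log, so record that option in a comment above the rule. An allow rule rather than a dontaudit is the right call here, because the helper has to actually succeed when the option is in use, but it should be a documented allow.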
@ -46105,10 +46127,13 @@ index 0000000..f4783a5
+#
+# systemd_gpt_generator domain
+#
+
+dev_read_sysfs(systemd_gpt_generator_t)
+dev_write_kmsg(systemd_gpt_generator_t)
+dev_read_nvme(systemd_gpt_generator_t)
+
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+
+#######################################
+#
+# systemd_resolved domain
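Review bot: `+storage_raw_read_fixed_disk(systemd_gpt_generator_t)` is a larger grant than `Allow systemd-gpt-generator to read fixed_disk_device_t` suggests: raw read on fixed_disk_device_t gives the generator read access to the full contents of every fixed disk, not only the GPT headers it parses. That is inherent in reading a partition table from the block device and the generator is an early-boot systemd helper, so the rule is defensible, but add a comment above it naming rhbz#1314968 and the partition-table use so the scope is not mistaken for a leftover. The `+dev_read_nvme(systemd_gpt_generator_t)` line above covers NVMe nodes separately, so both are needed.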
File diff suppressed because it is too large
@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 178%{?dist}
Release: 179%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -670,6 +670,29 @@ exit 0
%endif

%changelog
* Wed Mar 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717
- Merge pull request #108 from rhatdan/rkt
- Merge pull request #109 from rhatdan/virt_sandbox
- Add new interface to define virt_sandbox_network domains
- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port.
- Fix typo in drbd policy
- Remove declaration of empty booleans in virt policy.
- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs.
- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files.
- Additional rules to make rkt work in enforcing mode
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
- Allow ipsec to use pam. rhbz#1317988
- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968
- Allow setrans daemon to read /proc/meminfo.
- Merge pull request #107 from rhatdan/rkt-base
- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used.
- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t.

* Thu Mar 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-178
- Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution
- Add support systemd-resolved.
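Review bot: The changelog carries an add/revert/add triple for the `/etc/princap` filename transition (the first three bullets); squash those into one entry before this is tagged, and check the file name while doing so: the file cups writes is /etc/printcap, and a filename transition only fires on an exact name match, so if the rule in the contrib patch spells it `princap` as the message does, it will never apply. `Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717` is a policy regression shipped as a workaround and deserves to be called out as such (and tracked) rather than sit mid-list. Minor wording: `this scripts` should be `these scripts`, and `Allow to log out to gdm` reads better as `Allow logging out of gdm`.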